Re: [EXTERNAL] Re: [PATCH] Support using "all" for the db user in pg_ident.conf
Jelte Fennema-Nio <postgres@jeltef.nl>
From: Jelte Fennema <postgres@jeltef.nl>
To: Michael Paquier <michael@paquier.xyz>
Cc: Jelte Fennema <Jelte.Fennema@microsoft.com>, "isaac.morland@gmail.com" <isaac.morland@gmail.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, Nathan Bossart <nathandbossart@gmail.com>,
Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-16T10:53:57Z
Lists: pgsql-hackers
Attachments
- v5-0003-Only-expand-1-in-pg_ident.conf-when-not-quoted.patch (application/octet-stream) patch v5-0003
- v5-0004-Support-same-user-patterns-in-pg_ident.conf-as-in.patch (application/octet-stream) patch v5-0004
> Still, I am having a few second thoughts about 0003 after thinking > about it over the weekend. Except if I am missing something, there > are no issues with 0004 if we keep the current behavior of always > replacing \1 even if pg-user is quoted? I would certainly add a new > test case either way. Yes, 0004 is not dependent on 003 at all. I attached a new version of 0003 where only a test and some documentation is added. > Perhaps it would be simpler to use copy_auth_token() in this code path > and always free the resulting token? I initially tried that when working on the patch, but copy_auth_token (surprisingly) doesn't copy the regex field into the new AuthToken. So we'd have to regenerate it conditionally. Making the copy conditional seemed just as simple code-wise, with the added bonus that it's not doing a useless copy. > In the code path where system-user is a regexp, could it be better > to skip the replacement of \1 in the new AuthToken if pg-user is > itself a regexp? The compiled regexp would be the same, but it could > be considered as a bit confusing, as it can be thought that the > compiled regexp of pg-user happened after the replacement? I updated 0004 to prioritize membership checks and regexes over substitution of \1. I also added tests for this. Prioritizing "all" over substitution of \1 is not necessary, since by definition "all" does not include \1.
Commits
-
Add description for new patterns supported in HBA and ident sample files
- 1b43743f1174 16.0 landed
-
Support the same patterns for pg-user in pg_ident.conf as in pg_hba.conf
- efb6f4a4f9b6 16.0 landed
-
Track behavior of \1 in pg_ident.conf when quoted
- 0b717432ff13 16.0 landed
-
Store IdentLine->pg_user as an AuthToken
- 02d3448f4f79 16.0 landed
-
Add tests for regex replacement with \1 in pg_ident.conf to 0003_peer.pl
- e753ae6397fe 16.0 landed
-
Rename some variables related to ident files in hba.{c,h}
- 8607630d74cd 16.0 landed